Updated: 2024-11-24 05:51:34.568062
Description:
A path traversal vulnerability exists in the SFTP implementation of curl before 8.0.0: the tilde (~) character is wrongly replaced when it appears as a prefix in the first path element, in addition to its intended use as the first element on its own to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.
Metric | Severity | Score
---|---|---
CVSS Version 2.x | 0 |
CVSS Version 3.x | HIGH | 8.8
OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement
---|---|---|---|---|---|---|---|---
AlmaLinux 9.2 ESU | curl | 7.76.1 | 8.8 | HIGH | Already Fixed | | 2023-11-10 02:29:52 |
CentOS 6 ELS | curl | 7.19.7 | 8.8 | HIGH | Released | CLSA-2023:1682347721 | 2023-05-04 17:05:36 |
CentOS 7 ELS | curl | 7.29.0 | 8.8 | HIGH | Released | CLSA-2023:1697816385 | 2023-10-20 14:08:17 |
CentOS 8.4 ELS | curl | 7.61.1 | 8.8 | HIGH | Released | CLSA-2023:1682348615 | 2023-04-24 11:05:00 |
CentOS 8.5 ELS | curl | 7.61.1 | 8.8 | HIGH | Released | CLSA-2023:1682348848 | 2023-04-24 14:05:07 |
CloudLinux 6 ELS | curl | 7.19.7 | 8.8 | HIGH | Released | CLSA-2023:1682347930 | 2023-05-04 17:05:36 |
Oracle Linux 6 ELS | curl | 7.19.7 | 8.8 | HIGH | Released | CLSA-2023:1682348435 | 2023-04-24 11:05:02 |
Ubuntu 16.04 ELS | curl | 7.47.0 | 8.8 | HIGH | Not Vulnerable | | 2023-04-20 08:48:46 |
Ubuntu 18.04 ELS | curl | 7.58.0-2 | 8.8 | HIGH | Already Fixed | | 2023-04-28 08:47:38 |